
I am coding an unofficial Twitter API for myself. Then I send a GET to this API using the console in my browser with the following method.

function httpGet(theUrl)
{
    var xmlHttp = new XMLHttpRequest();
    xmlHttp.open( "GET", theUrl, false ); // false for synchronous request
    xmlHttp.send( null );
    return xmlHttp.responseText;
}

like this:

httpGet("https://localhost:44311/WeatherForecast/alienationxs/true"); // the URL must be passed as a string

The problem is that when I do this via www.google.com it’s OK and the JSON data reaches me, but when I do it via twitter.com I get the following error.

[screenshot: error message in the browser console when requesting via twitter.com (image not available)]

via google.com:

[screenshot: successful response in the browser console when requesting via google.com (image not available)]

My CORS settings on the API:

public void ConfigureServices(IServiceCollection services)
{
    services.AddControllers();
    // Default CORS policy: any origin, any header, any method.
    services.AddCors(options =>
        options.AddDefaultPolicy(builder =>
            builder.AllowAnyHeader().AllowAnyMethod().AllowAnyOrigin()));

    services.AddMvc();
    services.AddSwaggerGen(c =>
    {
        c.SwaggerDoc("v1", new OpenApiInfo { Title = "twitterAPI", Version = "v1" });
    });
}

// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
        app.UseSwagger();
        app.UseSwaggerUI(c => c.SwaggerEndpoint("/swagger/v1/swagger.json", "twitterAPI v1"));
    }

    app.UseRouting();
    // UseCors must come after UseRouting and before UseAuthorization/UseEndpoints.
    // This inline policy repeats the default policy registered above.
    app.UseCors(builder => builder
        .AllowAnyOrigin()
        .AllowAnyMethod()
        .AllowAnyHeader());
    app.UseAuthorization();
    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllers();
    });
}

All I want is to reach my API via twitter.com just like via google.com.

2 Answers


  1. The Twitter API does not support CORS.

    1. First, let’s separate the flies from the cutlets.
    • Cross-Origin Resource Sharing (CORS) is a separate security layer.

    • Content Security Policy (CSP) is a separate security layer; it’s applied before CORS. After passing through CSP, you can face CORS if the last one is breached.

    As you can see from the error message "… because it violates the following Content Security Policy directive …", you faced a CSP violation, therefore your CORS settings have no meaning.

    2. What’s going on.

    You enter the twitter.com web page and try to execute a connect request to localhost:44311 on behalf of the twitter web page. But twitter’s web page is protected by CSP, which forbids such requests:
    [screenshot: the Content-Security-Policy header of twitter.com (image not available)]
    Pay attention to the ‘connect-src’ directive, which governs XMLHttpRequest().

    The www.google.com web page does not have a CSP, therefore your request on behalf of google succeeds.

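Added example, not part of the question or either answer: a small JavaScript model of the connect-src check a browser applies to XMLHttpRequest/fetch before any CORS negotiation takes place, which is why the API's permissive CORS settings never come into play. SAMPLE_CSP, social.example, cdn.example and stream.example are constructed values, not twitter.com's real header or hosts.

```javascript
// Added example (not from the thread): a simplified model of the browser's
// CSP connect-src check, which runs before CORS is even considered.
// SAMPLE_CSP is a constructed policy, not twitter.com's real header.

// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Match one source expression: '*', 'self', a bare scheme ("https:"), or
// [scheme://][*.]host[:port]. A source without a port only matches the
// scheme's default port, so "localhost" does not cover localhost:44311.
// Nonces, hashes and path matching are omitted for brevity.
function sourceMatches(source, url, pageOrigin) {
  if (source === "*") return true;
  if (source === "'self'") return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ":") return false;
  const reqHost = url.hostname.toLowerCase(), srcHost = host.toLowerCase();
  if (!(wildcard ? reqHost.endsWith("." + srcHost) : reqHost === srcHost)) return false;
  return port === undefined ? url.port === "" : port === "*" || port === url.port;
}

// Decide whether an XMLHttpRequest/fetch from a page with this CSP may reach
// target. No header or no governing directive means no CSP restriction, as on
// the google.com page in the thread; CORS on the API server plays no part here.
function connectAllowed(cspHeader, pageOrigin, target) {
  if (!cspHeader) return true;
  const policy = parseCsp(cspHeader);
  const sources = policy["connect-src"] ?? policy["default-src"];
  if (!sources) return true;
  if (sources.includes("'none'")) return false;
  const url = new URL(target);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

const SAMPLE_CSP = "default-src 'self'; connect-src 'self' https://*.cdn.example wss://stream.example";
const API = "https://localhost:44311/WeatherForecast/alienationxs/true";
console.log(connectAllowed(SAMPLE_CSP, "https://social.example", API)); // false: blocked by CSP
console.log(connectAllowed("", "https://www.google.com", API));          // true: no CSP to apply
```

The only ways past such a policy are legitimate ones: run the page on an origin whose CSP lists the API, or have the API served from an origin the policy already allows.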